Despite forecasts of its multi-billion dollar potential, the online community is still in the pioneering era of electronic commerce. More profit is being made by selling advertising space on the "Net" and by promoting Internet stocks than by the online sale of goods and services to consumers. By mid-1998, only 4% of Canadians had made a purchase online. 1The volume of public discourse on the subject has noticeably increased, however, particularly during the recent holiday season when time-pressed consumers turned to their computers to help them gift shop. Did they buy or just browse? How did they assure themselves of the legitimacy of the merchant or the product? Did they save time over more traditional merchant - consumer transactions? Was it more convenient? How did they pay? How secure was their personal information in making the payment? Were there problems with delivery? What if the goods did not meet their expectations? How were complaints and returns handled? The answers to these and similar questions are only beginning to be collected, and credible analysis of the data is still on the drawing board. What can be examined, though, is the range of approaches being implemented by online purveyors of goods and services and their associations, (the "Vendors"), to encourage consumers to take the leap from "browse" to "buy".

The premise of this paper is that a strategic analysis of disputes, both potential and actual, has been employed by Vendors in seeking to overcome consumer resistance to actively engaging in electronic commerce. Consumer confidence is thought to produce sales, and a significant element in earning consumer confidence is in dealing with problems and concerns in acceptable ways. The varied responses to the dispute analysis will be examined, including policies and programs aimed at dispute avoidance or prevention, as well as adaptations of dispute resolution processes to the online environment.2

Before moving on to the Vendors' dispute management strategies, a few words are in order about traditional dispute resolution in the physical world. Our civil justice system of resolving disputes is a fundamental underpinning of a stable, advanced society. We have, in large measure, substituted courts and litigation for wars and other power-based mechanisms for resolving disputes between citizens. The system has evolved to give the litigant his or her "day in court" in which to tell the judge about the events that led to the dispute. Elaborate rules of evidence and discovery govern this adversarial process, so lawyers are needed to guide the litigant. The complexity of the public court process and the time it takes to navigate have put it beyond the means of the average person. 3 Consequently, other private mechanisms for resolving disputes have been developed, both for business and consumer disputes. Most of these processes are not new, e.g. mediation and arbitration, and they do not supplant the civil justice system, but can operate quite effectively in conjunction with or in the shadow of the court system 4 . They are collectively referred to as Alternative Dispute Resolution or ADR.

B. Barriers to Electronic Commerce

Internet use is expanding by leaps and bounds. Some of its attractions include those very elements that pose barriers for electronic commerce. Its anonymity appeals to us as window-shoppers, but it also means that neither the Vendor nor the consumer really know with whom they are dealing, or if they are legitimate. The global scope of the Internet is an invaluable asset for researchers, but it opens the possibility that the parties to an electronic transaction are half a world away from one another, operating in different cultures, with different laws and conflicting expectations. That the Internet is largely unregulated and free from the intrusion of governments and laws has great appeal for some users. The flip side is that the Internet is not immune to fraud and deceit, and it is uncertain which national laws apply to a bi-national electronic transactions, and how they can be enforced in another country.

Two of the more significant barriers to purchasing on the Internet are privacy and security concerns. IBM highlights the payment security problem in reporting on a survey by Nordicity that indicates that 78% of Canadian Internet users are concerned about making their credit card payments on the Internet 5. Advances in encryption and other technologies have allayed those concerns to the extent that consumers are now adopting Internet Banking in increasing numbers, but the time may never come when Vendors can guarantee against the unscrupulous access or alteration of confidential information provided online. An array of approaches may be needed to offset that risk.

The other aspect of privacy that concerns consumers is the use to which their personal information may be put without their knowledge or consent. Technology is working against consumers here. Once an Internet user visits a Web site and leaves any personal information, either in concluding a transaction or, for example, in order to receive something the Vendor is offering, the user generates a data trail. That data can be readily collected by the Vendor in a "cookie" file and used for marketing purposes or sold to others without the user's consent.

A recent example at an Information Technology Law Conference brought home the significance of the increasing digitization of information and its application to new markets. A map-making company gave a demonstration of how, by using publicly available information, it could pinpoint and picture every parcel of land in the province, providing the additional information of who owned it, for how long, the purchase price, the assessed value and the annual taxes. It does not take much imagination to understand how this public information might be put together with previously private information to enhance its potential market, and why consumers might want a measure of control over how that information is used.

Canadians have not been silent on the issue. In an Angus Reid survey taken in July, 1998 6, nine in ten Canadians strongly disapproved of companies trafficking in information about their private lives without their consent, and ninety-four per cent felt that it important to have safeguards to protect personal information on the Internet.

The Province of Quebec is the only Canadian jurisdiction that has made its protection of privacy legislation apply to the private, commercial transactions. However, Canada was the first country to adopt a voluntary national standard. In 1996, Canada adopted the Canadian Standards Association's (CSA) Model Code for the Protection of Personal Information, which was developed by businesses, consumers and governments. That standard now forms the basis for Bill C-54, the Personal Information Protection and Electronic Documents Act, introduced in Parliament on October 1, 1998. If passed, the law would apply to commercial activities involving personal information, holding the commercial entities accountable for its use. On passage it will immediately cover the federally regulated sector, including broadcasting, telecommunications, and banking. Three years later it will govern all commercial transactions in Canada.

C. Consumer Purchasing Online

More consumers are making purchases online than was the case a year ago, but an examination of those purchases tells its own story. As recently reported in Consumer Quarterly:

According to research carried out for the Office of Consumer Affairs (Electronic Commerce Quantitative Report, Decision Resources Inc., June > 5, 1998), consumers who do shop on the Internet buy things from companies they are familiar with and have dealt with before. Purchasers are more likely to be male, have higher household incomes than average and see themselves as financial risk takers. The most popular Internet purchases are computer software and hardware, books and magazines, and CDs or cassettes. The research also shows that consumers cite three reasons for buying something through the Internet: the transaction involves little monetary risk, they buy from a previously known vendor, or they can't find the product or service through their usual retailers. Internet shoppers are quick to point out, though, that they are aware of the risks in buying online, see those risks as a trade-off for getting the product or service they want, and accept the responsibility for their transaction.7

The research portrays these early adopter consumers as a fairly timid lot. Despite their incomes and propensity for risk-taking, they buy from someone they know, unless what they want is just not available there. The lesson seems clear that to create a wave of more aggressive online consumers, Vendors will have to take what is essentially foreign and unfamiliar for most people, address their concerns about this new medium, and imbue it with a familiarity that inspires confidence. What follows is a discussion of some of strategies Vendors have initiated to do just that, their features, and how they differ from more traditional approaches in the physical world of buying and selling. Their common denominator is disputes: preventing them, minimizing them and resolving them.

D. Dispute Avoidance and Prevention Strategies

1. Certification

Certifying that a product or service meets a certain standard is not a new approach. The Good Housekeeping Seal of Approval is so well-known that the phrase has entered the language as denoting anything that has achieved a credible standard of approval. What is different about certification on the Internet is what it is applied to - concepts and technologies, and how it is accessed.

(a) Digital Security Certificates

Security is the number one consumer concern - one which is holding back the online purchase of goods and services on the Internet, and one that will undoubtedly produce a multitude of disputes for vendors if solutions are not found. Consumers are worried about: confidentiality of information provided, ensuring the integrity of the payment made, and authenticating the reputability of the merchant or service provider to ensure that what is purchased will actually arrive, and if there is a problem the merchandise can be returned or a complaint handled in a responsible way.

A segment of the financial services sector has developed a voluntary certification response to these concerns. It is a standardized industry-wide protocol specification designed to secure payment transactions and authenticate the parties involved in the transactions on open networks like the Internet. Secure Electronic Transaction or "SET", first announced in 1996, was developed by Visa and MasterCard in collaboration with a consortium of leading technology companies including Microsoft, Netscape, RSA, VeriSign and others. 8

The essential elements of SETare digital certificates that amount to a digital credit card for consumers, and a certification authority that ensures that merchants meet the standard, confirmed by the issuance of a SET mark. To date the consumer certification is up and running and more than 1.5 million digital certificates have been issued. Corporate partiners include financial institutions such as the Royal Bank of Canada and Bank of America, and other large corporations such as British Telecommunications, AT&T, Texas Instruments and America Online.

No merchant has yet been awarded the SET mark since the certification testing service is still not available. The certification testing to meet the SET standard is carried out by Tenth Mountain, a company formed by the payment card brands. Once the application and the merchant pass the certification testing, a SET mark is awarded. The roll- out of the testing will be first to consumers, then merchants, then Certificate Authority applications, then Payment Gateway applications.

The SET certificates that are issued after testing serve as digital identification that can authenticate the cardholder consumer or identify the merchant as a valid Visa, MasterCard, American Express, Diners Club or other payment card merchant - much as an individual signature or the card decal in the window does in a more traditional store.

What a SET cardholder certificate in combination with SET-compliant wallet application software for use on the personal computer from which Internet purchases are made does for the consumer is provide a higher level of security for the payment portion of the Internet transaction. It does not enable secure access to browsing or account inquiries. Other security options are available for that type of use such as SSL (secure socket layer) encryption for an entire Web site. The Web sites of most large Vendors will have both.

Under the SET protocol it is the cardholder or merchant software application which is responsible for determining whether or not to trust a certificate, based on the Certificate Revocation List that is maintained by the card brand certificate authorities e.g. Visa and MasterCard, and distributed to the consumer or merchant at the time of enrollment.

While the SET protocol, and others involving the issuance of digital security certificates, do not seek to provide any assistance to consumers in disputes arising from electronic transactions, they are beginning to overcome the trust barrier that was standing in the way of commerce on the Internet. A number of Canadian banks are now offering Internet banking and consumers are flocking to sign up for these services. It is too soon to draw the conclusion that if the certificate is issued by a Canadian bank, consumer confidence is restored, but it is a development worth watching.

(b) Privacy Policy Certification

A second certification response, known as TRUSTe., is "an independent, non-profit, privacy initiative dedicated to building users' trust and confidence on the Internet, and in so doing, accelerating growth of the Internet industry.9 It is recognized that consumers are reluctant to share personal information over the Internet because of concern over how it will be used. TRUSTe addresses those concerns by means of a formal information privacy policy, the issuance of a seal of approval or "trustmark" attached to the participant's Web site and an assurance process to ensure participants are abiding by their stated policies.

The fundamental principle of the TRUSTe program is that once appropriate disclosure of a Web site's privacy policy is made, and there is independent assurance that the policy will be adhered to, the consumer will be able to make an informed decision about whether or not to provide personal information. Its goal is to give the individual the power over what happens to his or her own information online.

The TRUSTe licensing program requires participating Web sites to disclose their information gathering and dissemination practices and at the very least to disclose: what type of information is gathered, how that information is used, who shares that information, whether consumers can request that their information not be used or shared, whether information can be updated later, and whether requests to be deleted from the participant's database will be honoured.

Potential licensees must also agree: to display the trustmark on their home page that discloses their policies, not to monitor e-mail or other communications to third parties except as required by law, to live up to their stated privacy policies even after the site leaves the TRUSTe program, unless is obtained directly from the user, and to cooperate with all TRUSTe reviews and audits.

If these privacy principles are met, the trustmark is issued for use in conjunction with the participating Web site. Clicking on the mark will bring immediate disclosure of the policy to the consumer's screen.

Up from approximately 30 Web sites a year ago, there are now hundreds of TRUSTe participants, including Vendors of every size and background. The program maintains a current list on its Web site so that consumers can verify the validity of a TRUSTe trustmark at any time

The TRUST.e program employs several means by which participating site compliance with the stated policies is assured: initial and periodic reviews of the site, submitting personal information itself to participant sites, random site audits by official auditors to check for adherence to program principles, and feedback from online users to the TRUSTe Watchdog site with an assurance that all reported privacy concerns will be pursued.

If one of these means indicates potential or actual non-compliance by a participating Web site, the TRUSTe program employs an escalating investigation against the site. Potential sanctions include penalties, another audit or revocation of the participant's trustmark license. A year ago, the program indicated that extreme violations would be referred to the Federal Trade Commission in the United States for fraud and/ or deceptive practices prosecution, or breach of contract litigation could be pursued. Inquiries as to what would happen if the breach happened in Canada went unanswered. Now, the TRUSTe privacy seal program has expanded into Europe, and there are a number of changes on the dispute resolution front.

Significantly, informal resolution is included for the first time. TRUSTe, in accordance with DR best practices, requires consumers to first contact the Web Site they have a complaint about to voice the complaint and give them the opportunity to resolve the issue. If that fails, TRUSTe will facilitate a resolution between the consumer and their licensee. If that fails, they move into the escalating investigation phase. Extreme violations are referred to "the appropriate law authority.TRUSTe may pursue breach of contract or trademark infringement litigation against the site". 10

U.S. companies are thought by the European Union (EU) to have inadequate data protection laws, and until recently the U.S. federal government has encouraged self-regulation of privacy practices among Web sites and the electronic commerce industry in general, rather than introducing privacy laws. That changed to some extent after a U.S. Federal Trade Commission (FTC) survey which showed that only 14% of the randomly selected Web sites had any privacy policy at all, and only 2% of those had what could be called a comprehensive policy.11The FTC has now recommended that further incentives are needed for businesses to self-regulate, and that legislation is needed to regulate the collection of information from children. U.S. companies are reportedly "labouring mightily to head off the potential legislation" 12 . It would seem that they prefer a private sector solution, rather than the legislative option that the Canadian government is pursuing.

The EU Data Protection Directive, in force as of October 25, 1998, requires very strict protection of personal information, including a mechanism to obtain consent before using personal data, and one for regulating the export of data outside the EU. U.S. companies doing business in Europe will be obliged to adopt privacy standards that conform to the Directive. The TRUSTe program has recognized their need and is working to translate the privacy standards into meaningful recommended guidelines for its licensees, which will ensure compliance from country to country.

2. Money Back Guarantee Offering the consumer a money back guarantee, an old retailing strategy that has worked successfully for physical merchants for decades, has also found its niche on the Internet. The names are familiar - T. Eaton Co. Ltd. 13 Sears Canada Inc. See footnote 14 14 , J. Crew 15, and L.L. Bean 16 , for example. These merchants have built their reputations for reliability on the strength of their guarantees and have evidently decided not to tinker with a good thing.

The companies that offer the money back guarantees for merchandise ordered online do go further than they do for telephone or fax transactions. Most of them also explicitly reassure their customers as to the security of their personal and payment information in the course of the purchasing transaction. The Sears Canada Inc. Web site speaks of "our secure web server" and "encrypted transmission with your browser to collect your personal and payment information". J.Crew answers the question: Is it safe for me to use my credit card? by saying: "Our web site is secure. We use the Secure Socket Layer Protocol to ensure that ordering information is sent directly to J.Crew,, and that only J.Crew can decode it." 17

These companies clearly recognize the consumer's reluctance to offer personal and credit card information online despite the use of the most secure encryption technology, and offer alternative payment mechanisms. Their Web sites make it very easy to download and fill out an order form, using product information from the site, then to print it and fax it for more secure ordering. None of them accept ordering by e-mail as it is considered insecure.

There also appears to be some tacit recognition of the uncertainty as to which law applies to Internet transactions. L.L. Bean will not accept orders from outside the United States online, although it will by fax or telephone. Sears Canada Inc.'s Web site acknowledges that it does business primarily in Canada and that it is limited in what it can ship outside the country.

3. Security GuaranteeAnother approach in addressing consumer concerns about security of private information is to provide a security guarantee. At one end of the range is Ticketmaster Canada Ltd.'s explanation of the security it offers and its pledge of support for "the aggressive efforts of the interactive industry's leading companies in developing better tools, technologies and standards facilitating electronic commerce via the Internet's World Wide Web. As enhancements are introduced they will be incorporated into our Web site." 18

At the other end of the range is Amazon.com's Safe Shopping Guarantee 19 that for any unauthorized use of the consumer's credit card resulting from a purchase through its secure server that is not covered by the credit card provider, it "will reimburse you for the remaining liability, up to a maximum of fifty dollars U.S." (the typical deductible charged by most banks).

Amazon.com goes further than most online merchants and enshrines its security guarantee and its privacy policy in its customer "bill of rights". It enables the consumer to opt in or out of its subscriptions and updates. It also asserts that it does not sell or rent information about its customers to third parties, and provides an e-mail address:
This email address is being protected from spambots. You need JavaScript enabled to view it.
for those who wish to ensure that their information is never shared in the future. This approach has obviously worked to instill confidence in consumers about purchasing online from Amazon.com, as its book sales in both Canada and the United States have been one of the success stories of commerce on the Internet. 4. Other GuaranteesAs in the physical marketplace, merchants on the Internet tailor their guarantees to their products. Compact discs can be duplicated so money back guarantees are not practical. Online purveyors of CD's such as Tower Records instead offer to replace returned items with other CD's of similar value. Tower Records also says more than most about dispute resolution on its Web site. 20 It asks for a thorough description of a shipment problem and undertakes: "We will do whatever it takes to solve your problem". On international orders where the wrong CD was shipped, it simply says e-mail us and: "we'll work it out".

5. Try Before You Buy A strategy used by vendors of software on the Internet to overcome consumer resistance to making a purchase, is to offer a pre-purchase trial. It can take a number of forms, but a typical offer is made by PC Law.. It is software providing accounting and time-keeping for lawyers. The potential purchaser is invited to download a demo of the software from the Web site 21 to get a full understanding of the capabilities and the ease of use of the program.

The e-Warehouse is an online merchant site where many software publishers sell their products. As well as being a licensee of the TRUSTe program and offering a 100% satisfaction guarantee, it enables any purchaser to try software downloaded from its Web site for 30 days. Upon the customer's request within 30 days, together with the receipt and a certificate that the software has been deleted from the purchaser's system, a full refund will be provided. 22 This example falls somewhere between a money back guarantee and a try before you buy initiative because of the instantaneous nature of the delivery. The Certificate of Deletion addresses the practical problem that the software may easily be duplicated and then returned, and basically relies on the honour system to ensure compliance. 6. Codes of Ethics and Standards of Practice

All of the foregoing approaches used by online merchants to build consumer trust in electronic commerce are based on ethical behaviour. For example, only the most reputable merchants are willing to stand behind the quality of their products to the extent of offering a full refund if the customer is not satisfied. The Canadian Direct Marketing Association (CDMA) has taken that several steps further and codified the ethics and standards of practice of its members as they relate, inter alia, to commerce over the Internet. 23The CDMA Code, which is appended as Appendix I, covers such subject areas as product safety, marketing to children, and protection of the environment. It adopts as its standard for the protection of personal privacy the principles of the Organization for Economic Co-operation and Development (OECD). The seven principles of personal privacy adopted are:

Give consumers control over how information about them is used, Provide consumers the right of access to information, Enable consumers to reduce the amount of mail they receive, Control the use of information by third parties, Safely store information about consumers, Respect confidential and sensitive information, and Enforce the provisions of the code. E. Is Prevention or Avoidance Enough?

There will always be some products or services that do not give satisfaction - even if purchased from the most reputable Vendors. Strategies such as guarantees and certification will avoid or minimize the potential conflict arising from such deficiencies, but there will still be differences of opinion as to what or who caused the deficiency, and smaller Vendors may not be in a position to automatically absorb the loss. The issues also become more problematic as the cost of the product or the complexity of the service increase.

In the physical world of commerce, vendors of expensive consumer products and complex services work hard at developing a relationship with their customers because they understand that the confidence inspired by the relationship is likely to lead to the purchase of more or higher value goods and services. One facet of enhancing that "relationship" is offering an acceptable, low cost means of resolving disputes that may arise with the customer about the product or service. These programs have proliferated in recent years. Examples include the Canadian Motor Vehicle Arbitration Plan (CAMVAP) for purchasers of automobiles, the Canadian Banking Ombudsman for customers of Canadian banks, the Law Society of Upper Canada's Pilot Mediation Program for the resolution of certain complaints against lawyers, and London Life's Customer Satisfaction Process offers external arbitration to its customers with issues that cannot be resolved internally.

Online Vendors have a few additional hurdles in seeking to build the all-important relationship with their customers, such as the lack of person-to-person contact and the scope of the potential market, but they too are beginning to develop dispute resolution programs. Not surprisingly, the first initiatives are to adapt programs that already exist for their customers. Examples are the Investment Dealers Association of Canada Arbitration Program for disputes between dealers and their clients, including those who have traded electronically, the Canadian Banking Ombudsman program, which covers complaints arising from electronic banking, and the Association of Shareware Professionals (ASP) Ombudsman service which is available to assist consumers resolve any problems with ASP members. These programs were not designed for the Internet and they employ physical world ADR approaches, principally arbitration and mediation.

What follows is a brief examination of the spectrum of physical world ADR approaches, a necessary background before considering how they may be effectively adapted for the Internet.